Layer7 API Management

  • 1.  How to protect encoded XSS threats

    Posted May 02, 2017 05:24 AM

    We need to protect our API from XSS threats.

    For example:

    JSON Body:

    {
        "id": 1,
        "name": "<script>alert123</script>",
        "price": 12.50,
        "tags": ["home", "green"]
    }

    This can be blocked using the 'Protect against code injection' assertion.

    Options selected: 'HTML/JavaScript Injection (Cross Site Scripting)'.


    But how about a case where code is injected using encoded values:

    {
        "id": 1,
        "name": "%3Cscript%3Ealert123%3C%5Cscript%3E",
        "price": 12.50,
        "tags": ["home", "green"]
    }

    Where the decoded values are listed below:

    %3C = <

    %3E = >

    %5C = \

    %3Cscript%3Ealert123%3C%5Cscript%3E = <script>alert123</script>

    The Gateway is unable to identify such threats and the requests are getting processed.

    We have also tried selecting the 'XPath Injection' option in the 'Protect against code injection' assertion.


    Can someone help to fix this issue?


    Regards

    Kareem 



  • 2.  Re: How to protect encoded XSS threats
    Best Answer

    Broadcom Employee
    Posted May 02, 2017 06:14 PM

    Kareem,

    The text that is being interpreted is left URL encoded, so it is not viewed as problematic. You will need to add the Encode/Decode assertion to URL decode the payload prior to the Protect against code injection assertion. I've attached a sample policy to help.

    Sincerely,

    Stephen Hughes

    Director, CA Support

    Attachment(s)

    xss_encoded.xml.zip (835 B)


  • 3.  Re: How to protect encoded XSS threats

    Posted May 03, 2017 02:57 AM

    Thanks, Stephen, for the quick response. This is working for us.

    One more question: do we need to decode again before routing the request to downstream services?


    Regards

    Kareem



  • 4.  Re: How to protect encoded XSS threats

    Posted May 03, 2017 04:20 PM

    That will depend on whether or not your downstream services can handle (or are expecting) the data being passed to the API to be left URL encoded.



  • 5.  Re: How to protect encoded XSS threats

    Broadcom Employee
    Posted May 03, 2017 04:24 PM

    Kareem,

    If you decode the value before the validation, you don't need to decode the value again, as it will already be decoded. You may want to copy the original request out to a variable and decode, then validate, so that the original request can be passed through unchanged if it does not fail.

    Sincerely,

    Stephen Hughes

    Director, CA Support
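
The decode-then-validate flow from Stephen's replies, as an added Python example that is not part of the thread or of the attached policy. The detection regex, the bounded repeated decoding (which also covers double-encoded values, a step beyond what the thread covers) and the sample bodies are constructed here; the payload values are the ones from post 1.

```python
import json
import re
from urllib.parse import unquote

# Constructed detector for the HTML/JavaScript injection class the thread
# discusses; the Gateway's own assertion rules are not reproduced here.
# Matches "<script", "</script" and the "<\script" that %3C%5Cscript%3E decodes to.
SCRIPT_TAG = re.compile(r"<\s*/?\s*\\?\s*script\b", re.IGNORECASE)

def fully_decoded(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded values are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def string_fields(obj):
    """Yield every string value in a parsed JSON document, however deeply nested."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from string_fields(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from string_fields(item)

def contains_script_injection(body, decode_first):
    """True if any string field in the JSON body matches the injection pattern.
    decode_first=False mirrors the original policy; True mirrors the fixed one."""
    for field in string_fields(json.loads(body)):
        if decode_first:
            field = fully_decoded(field)
        if SCRIPT_TAG.search(field):
            return True
    return False

def validate_and_forward(original_body):
    """Validate a decoded copy; hand the original body on unchanged if it is clean."""
    if contains_script_injection(original_body, decode_first=True):
        return None  # reject the request
    return original_body

# Constructed samples: the plain and URL-encoded payloads from post 1, plus a clean body.
PLAIN = '{"id": 1, "name": "<script>alert123</script>", "price": 12.50, "tags": ["home", "green"]}'
ENCODED = '{"id": 1, "name": "%3Cscript%3Ealert123%3C%5Cscript%3E", "price": 12.50, "tags": ["home", "green"]}'
CLEAN = '{"id": 2, "name": "green%20lamp", "price": 9.99, "tags": ["home"]}'
```

With decode_first=False the encoded body passes, reproducing the gap from post 1; with decoding in front of the check it is rejected while a clean body is forwarded byte-for-byte.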